Netatalk Security Advisory
| Subject | Heap out-of-bounds reads in Spotlight RPC element counts |
|---|---|
| CVE ID# | CVE-2026-49387 |
| Severity | High |
| Disclosure Date | 2026/05/30 |
| Affected Versions | 3.1.0 - 4.4.3 |
| Summary | Spotlight RPC unmarshalling accepts attacker-controlled per-type element counts without bounding them against the request buffer |
Description
Spotlight RPC unmarshalling can read beyond the end of the request buffer while processing client-controlled element counts for integer, date, UUID, and floating-point fields. When Spotlight is enabled, an authenticated client may be able to crash the afpd child process serving its session. Remote code execution is not evident from the out-of-bounds reads alone.
This issue is a residual sibling of CVE-2026-44066, whose earlier remediation did not cover these per-type element counts.
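To illustrate the bug class described above, here is an added example in C that is not Netatalk's code and not the patch referenced below: a simplified unmarshaller for a hypothetical counted-element field (a 4-byte little-endian count followed by that many 8-byte values, a layout constructed for this example and not the Spotlight RPC wire format). It contrasts a check that trusts the client-supplied count with one that bounds the count against the bytes actually remaining in the request, and shows why the bound must be computed with a division rather than a multiplication that can wrap. All function names and sample buffers are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical element encoding for this example only:
 * uint32 LE element count, then `count` int64 LE values. */
#define ELEM_SIZE 8u

/* Bug pattern: derive the read size from the client's count and
 * compare the product. With 32-bit arithmetic count * ELEM_SIZE can
 * wrap to a small number, so a huge count "fits" and the loop that
 * follows reads far past the end of the request buffer. */
static bool naive_count_fits(uint32_t count, uint32_t remaining)
{
    uint32_t need = (uint32_t)(count * ELEM_SIZE); /* may wrap */
    return need <= remaining;
}

/* Hardened check: bound the count against the remaining bytes using a
 * division, which cannot overflow. Any count larger than the number of
 * whole elements left in the buffer is rejected. */
static bool safe_count_fits(uint32_t count, size_t remaining)
{
    return count <= remaining / ELEM_SIZE;
}

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static int64_t rd_le64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | p[i];
    return (int64_t)v;
}

/* Decode a counted int64 array at buf[*off] into out (at most max_out
 * entries, which callers keep well below INT_MAX). Returns the number of
 * elements decoded, or -1 without advancing *off when the count is not
 * backed by bytes that are actually present in the request. */
int parse_int64_array(const uint8_t *buf, size_t len, size_t *off,
                      int64_t *out, size_t max_out)
{
    if (*off > len || len - *off < 4)
        return -1;                              /* no room for the count */
    uint32_t count = rd_le32(buf + *off);
    size_t remaining = len - *off - 4;          /* bytes after the count */
    if (!safe_count_fits(count, remaining) || count > max_out)
        return -1;                              /* count exceeds the buffer */
    *off += 4;
    for (uint32_t i = 0; i < count; i++, *off += ELEM_SIZE)
        out[i] = rd_le64(buf + *off);
    return (int)count;
}

/* Constructed well-formed request: count = 2, elements 7 and -1.
 * Returns the element count (2) on success, -2 on a decoding mismatch. */
int demo_good(void)
{
    static const uint8_t req[] = {
        0x02, 0x00, 0x00, 0x00,
        0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    };
    int64_t vals[4];
    size_t off = 0;
    int n = parse_int64_array(req, sizeof req, &off, vals, 4);
    if (n != 2 || vals[0] != 7 || vals[1] != -1 || off != sizeof req)
        return -2;
    return n;
}

/* Constructed malformed request: count = 1000 but only one element's
 * worth of bytes follows. The hardened parser must return -1. */
int demo_bad(void)
{
    static const uint8_t req[] = {
        0xe8, 0x03, 0x00, 0x00,
        0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    };
    int64_t vals[4];
    size_t off = 0;
    int n = parse_int64_array(req, sizeof req, &off, vals, 4);
    return (n == -1 && off == 0) ? -1 : -2;
}

int main(void)
{
    printf("well-formed request: %d elements\n", demo_good());
    printf("oversized count: %d\n", demo_bad());
    printf("naive check accepts count 0x20000000 with 16 bytes left: %d\n",
           naive_count_fits(0x20000000u, 16));
    printf("safe check accepts the same: %d\n",
           safe_count_fits(0x20000000u, 16));
    return 0;
}
```

The pattern that matters for detection and review is the second `if` in `parse_int64_array`: every per-type count a client supplies is compared against the bytes remaining in the request before any element is read, and the comparison is written so that it cannot wrap.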
Patch Availability
Apply CVE-2026-49387,CVE-2026-49388.patch to a Netatalk 4.4.3 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.0 or later, which includes the patch.
Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.
CVSS Calculation
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L (7.1)
Workaround
Disable Spotlight indexing in afp.conf, or leave the option undefined, since it defaults to no:
```
[Global]
spotlight = no
```
This prevents the vulnerable code path from being reached entirely.
Credits
Vulnerability reported by:
Michalis Vasileiadis (@vmihalis)
Patch developed by:
Daniel Markstedt of the Netatalk team